Pacemakers get hacked on TV, but could it happen in real life?
'At this point, those devices are not up to standard.'
Jay Radcliffe breaks into medical devices for a living, testing for vulnerabilities as a security researcher.
He's also a diabetic and gives himself insulin injections instead of relying on an automated insulin pump, which he says could be hacked.
"I'd rather stab myself six times a day with a needle and syringe," Radcliffe recently told security experts meeting near Washington, D.C. "At this point, those devices are not up to standard."
Concern about the vulnerability of medical devices like insulin pumps, defibrillators, fetal monitors and scanners is growing as healthcare facilities increasingly rely on devices that connect with each other, with hospital medical record systems and – directly or not – with the Internet.
Radcliffe made headlines in 2011 by showing a hackers' convention how he could exploit a vulnerability in his insulin pump that might enable an attacker to manipulate the amount of insulin pumped to produce a potentially fatal reaction. Now he talks about going without a pump to raise awareness about the potential for security lapses and the need for better engineering.
While there have been no confirmed reports of cybercriminals gaining access to a medical device and harming patients, the Department of Homeland Security is investigating potential vulnerabilities in about two dozen devices, according to a Reuters report. Hollywood has already spun worst-case scenarios, including a 2012 episode in the Homeland series portraying a plot to kill the vice president by manipulating his pacemaker.
"The good news is, we haven't seen actual active threats or deliberate attempts against medical devices yet," said Kevin Fu, a University of Michigan researcher who has made his career testing the vulnerability of medical systems.
The bad news is that hospital medical devices may be vulnerable to hackers simply because they can be the weak link that gives a criminal access to a hospital's data system – especially if the devices haven't been updated with the latest security patches, said Ken Hoyme, a scientist at Adventium Labs, a cybersecurity firm in Minneapolis.
In the real world, he said, a hacker is more likely interested in stealing records he can sell than in harming a patient.
"There are not that many bad…guys whose goal in life is to go and randomly mess with patients in hospitals," Hoyme said. "They want money, not to shut off the ventilator of a particular patient."
Hospitals are targets because they collect so much data, from patients' Social Security numbers and financial information, to diagnosis codes and health insurance policy numbers.
Radcliffe estimates that medical identity information is worth 10 times more than credit card information – about $5 to $10 per record on the black market compared to 50 cents per account for credit card information.
Crooks can use it to apply for credit, file fake claims with insurers or buy drugs and medical equipment that can be resold.
And unlike the victims of credit card theft, those with stolen medical identities might not know for months or even years, giving the thieves more time to use their information.
New FDA Guidelines
Yet there are few cybersecurity standards for medical devices.
In October, the FDA issued guidance outlining what security features developers should bake into their products when seeking approval for a new device.
The guidelines, which aren't binding, say that when seeking approval for a new device, manufacturers should detail the cybersecurity threats they considered and build in better ways to detect when a device might have been compromised.
They should also build in protections, such as limiting access to authorized users and restricting software updates to code whose authenticity has been verified.
While a good start, some security experts say the guidelines should be binding. Others fear that giving them the force of regulation could be more harmful because they would become outdated quickly.
Nonetheless, the FDA's guidance has, in effect, changed the conversation among device makers from "'Do I believe this is a real threat?' to 'What do I have to do to satisfy the FDA?'" said Hoyme.
By the end of the year, the agency is expected to issue similar recommendations for devices already on the market.